MoleRats: there’s more to the naked eye

There has been some recent news regarding the activities of a Middle Eastern threat group known as MoleRats (or Gaza Hackers Team)[1]. We are releasing this blog which contains indicators to help security professionals in detecting this activity.

Please contact us at [email protected] and we would be happy to send you a TLP-AMBER version of this report containing further information, which you are welcome to distribute further in line with the US-CERT definition of TLP.

Recent Reports

In the past few days, both Vectra Networks and Palo Alto Networks have released reports relating to new activities carried out by the MoleRats group:

Vectra Networks describes a campaign they refer to as Moonlight and provides an overview of the decoy documents, malware (H-worm and njRAT) and infrastructure.[2]

Palo Alto Networks describes a new version of H-worm and focuses on its modules and infrastructure.[3]

PwC analysts have been tracking the same malware campaign, which has seen a noticeable spike in activity since at least April 2016. The attackers have targeted Arabic news websites, political figures and other targets that possess influence in the Palestinian territories and neighbouring Arab countries.

Our investigation began by analysing around 20 executable files associated with the attacks. Several of these files opened decoy documents and audio files, all of which were in Arabic. The filenames are translated as follows (this is not a complete list):

- Son of Hamas preacher arrested by counter-narcotics police;

- Voice recording of an Egyptian-UAE meeting;

- Leak relating to a UAE security meeting;

- President gets rid of Fatah leadership and replaces it with Abu Samhadanah; and

- General Lino responsible for moral projection of Zakaria Al-Agha

The most common way the malware was packaged in the MoleRats campaign was as a self-extracting RAR (SFX) executable; however, the attackers also appear to have used several other solutions to drop their malware, including a Visual Basic-based wrapper and an AutoIt-based wrapper.
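The packaging described above is the kind of thing a triage script can flag before any sandbox run. The following Python is an added example written for this post, not code from PwC or from the reports it cites, and it makes two assumptions: that a RAR SFX executable carries the archive as a PE overlay (bytes after the last section's raw data) beginning with the RAR marker block, and that compiled AutoIt3 binaries contain the "AU3!EA06" marker string. The fixture built by `build_fake_pe` is a constructed minimal PE, not a sample from the campaign.

```python
import struct
import sys

# Assumed signatures: RAR4/RAR5 marker blocks and the compiled-AutoIt3 marker.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
AU3_MAGIC = b"AU3!EA06"


def pe_overlay_offset(data: bytes):
    """Return the file offset where the PE overlay begins, or None if `data`
    is not a parseable PE. The overlay is everything after the last section's
    raw data, which is where SFX stubs store the appended archive."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size
    end = sect_table + num_sections * 40  # fall back to end of headers
    for i in range(num_sections):
        off = sect_table + i * 40
        if off + 40 > len(data):
            return None  # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def triage(data: bytes) -> dict:
    """Flag PE files that look like RAR SFX droppers or compiled AutoIt."""
    result = {"is_pe": False, "overlay_offset": None,
              "rar_sfx": False, "rar_offset": None, "autoit": False}
    overlay = pe_overlay_offset(data)
    if overlay is None:
        return result
    result["is_pe"] = True
    result["overlay_offset"] = overlay
    tail = data[overlay:]
    for magic in (RAR5_MAGIC, RAR4_MAGIC):  # RAR5 first: RAR4 is not its prefix
        idx = tail.find(magic)
        if idx != -1:
            result["rar_sfx"] = True
            result["rar_offset"] = overlay + idx
            break
    # Compiled AutoIt keeps the script in resources rather than the overlay,
    # so scan the whole file for the marker.
    result["autoit"] = AU3_MAGIC in data
    return result


def build_fake_pe(overlay: bytes) -> bytes:
    """Constructed fixture: a minimal PE32 with one 0x200-byte section at
    file offset 0x200, followed by `overlay`. Not a runnable executable."""
    raw_ptr, raw_size = 0x200, 0x200
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    opt_hdr_size = 0xE0  # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_hdr_size, b"\0")
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, raw_size,
                                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + opt + sect).ljust(raw_ptr, b"\0")
    return header + b"\xCC" * raw_size + overlay


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: run against the constructed SFX-like fixture.
        print("fixture:", triage(build_fake_pe(RAR4_MAGIC + b"\0" * 32)))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it over a directory of samples to prioritise which executables to detonate first. It is a signature check only: legitimate SFX installers and benign AutoIt tools will match too, and a packed or encrypted stub will not, so treat a hit as a reason to look closer rather than a verdict.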

The presence of decoy documents and audio files suggests that the malware may have been delivered through spear phishing; however, our research has not been able to find any emails relating to the campaign.